[AWS] Use credentials and config from AWS SDK file

Open aitorarjona opened this issue 1 year ago • 4 comments

Fix for #1107

This pull request adds functionality to retrieve AWS SDK config and credentials from the standard config file (~/.aws/config and ~/.aws/credentials) or env vars (more info).

Consequently, it deprecates using aws_access_key_id and aws_secret_access_key in the aws section of the Lithops config.

This approach is not only more secure, as we avoid sending secrets to the runtime via payload, but it also supports users with SSO-based accounts, who will need to configure a profile in their ~/.aws/config file and retrieve their session credentials dynamically. E.g.:

[profile my-sso-profile]
sso_start_url = https://XXXXXXXX.awsapps.com/start
sso_region = us-east-1
sso_account_id = XXXXXXXXXXX
sso_role_name = XXXXXXXXXXXXXXXXX
region = us-east-1

Summary:

  • Added new parameter in AWS config: config_profile.

Developer's Certificate of Origin 1.1

   By making a contribution to this project, I certify that:

   (a) The contribution was created in whole or in part by me and I
       have the right to submit it under the Apache License 2.0; or

   (b) The contribution is based upon previous work that, to the best
       of my knowledge, is covered under an appropriate open source
       license and I have the right under that license to submit that
       work with modifications, whether created in whole or in part
       by me, under the same open source license (unless I am
       permitted to submit under a different license), as indicated
       in the file; or

   (c) The contribution was provided directly to me by some other
       person who certified (a), (b) or (c) and I have not modified
       it.

   (d) I understand and agree that this project and the contribution
       are public and that a record of the contribution (including all
       personal information I submit with it, including my sign-off) is
       maintained indefinitely and may be redistributed consistent with
       this project or the open source license(s) involved.

aitorarjona avatar Jun 20 '23 14:06 aitorarjona
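
An added example, not code from this pull request or from Lithops: a standard-library check that flags the deprecated static keys in the `aws` section and confirms that the profile named by `config_profile` exists in the AWS config file. The helper name `audit_aws_section`, the sample inputs and the fallback to the `default` profile are assumptions.

```python
import configparser

# Keys the PR description deprecates in the Lithops `aws` section.
STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")
# Keys that mark an SSO profile in ~/.aws/config.
SSO_KEYS = {"sso_start_url", "sso_session"}

# Constructed sample of ~/.aws/config (placeholder values, no real account).
SAMPLE_AWS_CONFIG = """\
[default]
region = us-east-1

[profile my-sso-profile]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 000000000000
sso_role_name = ExampleRole
region = us-east-1
"""

def audit_aws_section(lithops_config, aws_config_text):
    """Hypothetical helper: list findings for the `aws` section of a Lithops config."""
    findings = []
    aws = lithops_config.get("aws", {})
    for key in STATIC_KEYS:
        if aws.get(key):
            findings.append(f"WARN: static secret in Lithops config: aws.{key}")

    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(aws_config_text)
    # Assumption: with no config_profile set, the SDK's default profile applies.
    profile = aws.get("config_profile", "default")
    # In ~/.aws/config every profile except default is headed "profile <name>".
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        findings.append(f"WARN: profile '{profile}' not found in AWS config")
    elif set(parser[section]) & set(STATIC_KEYS):
        findings.append(f"WARN: profile '{profile}' holds long-lived keys")
    elif set(parser[section]) & SSO_KEYS:
        findings.append(f"OK: profile '{profile}' uses SSO session credentials")
    return findings

if __name__ == "__main__":
    old_style = {"aws": {"aws_access_key_id": "EXAMPLE-ID", "aws_secret_access_key": "EXAMPLE-SECRET"}}
    new_style = {"aws": {"config_profile": "my-sso-profile"}}
    for cfg in (old_style, new_style):
        print(audit_aws_section(cfg, SAMPLE_AWS_CONFIG))
```
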

@JosepSampe please don't merge yet

aitorarjona avatar Jun 20 '23 14:06 aitorarjona

@JosepSampe ready for review and merge

aitorarjona avatar Jul 12 '23 14:07 aitorarjona

@JosepSampe Hi Josep, all requests have been implemented. Please, we need this merged ASAP: we switched to an SSO-based account and the current implementation in main does not work well (and also to be ready for the next release, #1137). Thanks!

aitorarjona avatar Sep 04 '23 09:09 aitorarjona

My last comments are about the 2 other AWS backends (Batch & EC2).

  • Do the changes made here in the way to configure AWS affect those backends?
  • Is it convenient to copy the changes made in the Lambda docs to the docs of Batch & EC2?
  • In order to adapt the Batch & EC2 backends, is it as simple as copying the relevant code in the __init__ of the Lambda backend to the other 2 backends?

JosepSampe avatar Sep 13 '23 13:09 JosepSampe

Closing for now, #1164 partially solves the issue described

aitorarjona avatar Mar 15 '24 14:03 aitorarjona